Re: [quicwg/base-drafts] Allow connections to share a port by adding restrictions on zero-length connection IDs (#2851)

[Jana Iyengar <notifications@github.com>]

janaiyengar commented on this pull request.



> @@ -924,11 +924,19 @@ selected by the client, both to ensure correct routing toward the client and to
 allow the client to validate that the packet is in response to an Initial
 packet.
 
-A zero-length connection ID MAY be used when the connection ID is not needed for
-routing and the address/port tuple of packets is sufficient to identify a
-connection. An endpoint whose peer has selected a zero-length connection ID MUST
-continue to use a zero-length connection ID for the lifetime of the connection
-and MUST NOT send packets from any other local address.
+A zero-length connection ID can be used when a connection ID is not needed
+to route to the correct endpoint. An endpoint SHOULD NOT use a zero-length
+connection ID unless it can use only its IP address and port to identify a
+connection. The IP address and port used by a peer cannot be used for routing

I thought we wanted to say that those weren't adequate on their own. I would also change this to active. "An endpoint SHOULD NOT use only the peer's IP address and port ..."

I would actually suggest dropping this sentence and the sentence after this one. You can go straight to the multiplexing sentence.

> @@ -924,11 +924,19 @@ selected by the client, both to ensure correct routing toward the client and to
 allow the client to validate that the packet is in response to an Initial
 packet.
 
-A zero-length connection ID MAY be used when the connection ID is not needed for
-routing and the address/port tuple of packets is sufficient to identify a
-connection. An endpoint whose peer has selected a zero-length connection ID MUST
-continue to use a zero-length connection ID for the lifetime of the connection
-and MUST NOT send packets from any other local address.
+A zero-length connection ID can be used when a connection ID is not needed
+to route to the correct endpoint. An endpoint SHOULD NOT use a zero-length
+connection ID unless it can use only its IP address and port to identify a
+connection. The IP address and port used by a peer cannot be used for routing
+or connection identification as these values can change during a connection's
+lifetime, and the peer can reuse a given address and port for additional
+connections. Similarly, the peer's connection IDs cannot be used for routing
+or identification, as they are not transmitted in the short header packets
+they send. Note that multiplexing while using zero-length connection IDs and

Suggested: "Multiplexing connections on the same local IP address and port while using zero-length connection IDs will cause failures in the presence of connection migration, NAT rebinding, and client
port reuse."  Drop the rest of this sentence -- its redundant with the "SHOULD NOT" above.


> @@ -924,11 +924,19 @@ selected by the client, both to ensure correct routing toward the client and to
 allow the client to validate that the packet is in response to an Initial
 packet.
 
-A zero-length connection ID MAY be used when the connection ID is not needed for
-routing and the address/port tuple of packets is sufficient to identify a
-connection. An endpoint whose peer has selected a zero-length connection ID MUST
-continue to use a zero-length connection ID for the lifetime of the connection
-and MUST NOT send packets from any other local address.
+A zero-length connection ID can be used when a connection ID is not needed
+to route to the correct endpoint. An endpoint SHOULD NOT use a zero-length
+connection ID unless it can use only its IP address and port to identify a

```suggestion
connection ID unless it can use only its local IP address and port to identify a
```

> -connection. An endpoint whose peer has selected a zero-length connection ID MUST
-continue to use a zero-length connection ID for the lifetime of the connection
-and MUST NOT send packets from any other local address.
+A zero-length connection ID can be used when a connection ID is not needed
+to route to the correct endpoint. An endpoint SHOULD NOT use a zero-length
+connection ID unless it can use only its IP address and port to identify a
+connection. The IP address and port used by a peer cannot be used for routing
+or connection identification as these values can change during a connection's
+lifetime, and the peer can reuse a given address and port for additional
+connections. Similarly, the peer's connection IDs cannot be used for routing
+or identification, as they are not transmitted in the short header packets
+they send. Note that multiplexing while using zero-length connection IDs and
+relying on the four-tuple of IP addresses and ports for routing will cause
+failures in the presence of connection migration, NAT rebinding, and client
+port reuse; and therefore MUST NOT be done unless an endpoint is certain that
+those protocol features are not in use.

I agree with @igorlord that there's redundancy here. Specifically, "endpoint SHOULD NOT use a zero-length connection ID unless it can use only its IP address and port" is at odds with "multiplexing while using zero-length connection IDs [...] MUST NOT be done". I've suggested fixes above.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/2851#pullrequestreview-274623600